🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-kubernetes-compliance
Overview
4Dashboards
790Benchmarks
781Queries
2Variables
GitHub

Control: Pod Security Policy should prohibit privilege escalation

Description

Pod Security Policy `allowPrivilegeEscalation` controls whether the Pod containers may request for privilege escalation. Containers in a Pod should not allow privilege escalation. A container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.pod_security_policy_container_privilege_escalation_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.pod_security_policy_container_privilege_escalation_disabled --share

SQL

This control uses a named query:

select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when not allow_privilege_escalation then 'ok'
    else 'alarm'
  end as status,
  case
    when not allow_privilege_escalation then 'Pod security policy ' || name || ' pods can not request to allow privilege escalation.'
    else 'Pod security policy ' || name || ' pods can request to allow privilege escalation.'
  end as reason
  
  , coalesce(context_name, '') as context_name, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  kubernetes_pod_security_policy;

Tags

category = Compliance
nsa_cisa_v1 = true
plugin = kubernetes
service = Kubernetes/PodSecurityPolicy